San Jose quietly spent weeks sorting out a lost USB drive loaded with worker data before telling the people whose information was on it, leaving some city employees wondering why they were the last to know.
The city notified current and former workers this month that a missing USB drive from January may have exposed personnel records, including Social Security numbers. City administrators learned the device was gone on Jan. 12 and alerted police about a week later. Letters to employees, however, went out with a Feb. 9 date, according to people who reviewed the notices.
Officials say there is still no sign anyone actually accessed the data, and the city is offering affected workers a complimentary year of credit monitoring.
City launches probe after worker reports missing drive
The notification letter, reviewed by San José Spotlight, says city administrators opened an internal investigation after a "workforce member" reported the USB drive missing and that law enforcement was notified.
"Although, to date, we have no evidence that any information was actually viewed, accessed, acquired, or has been misused," a City Manager’s Office spokesperson told San José Spotlight. The city says staff are now reviewing data storage and transfer procedures in an effort to prevent a repeat.
Experts and union leaders say the warning came late
Cybersecurity experts and union representatives told reporters they are troubled not just by the delay but by the fact that sensitive information was on a USB stick in the first place.
Ahmed Banafa, an engineering professor at San Jose State University, asked, "Who is still using USB drives for sensitive information?" AFSCME representative John Tucker added that "Social Security numbers don't expire," and both told San José Spotlight they worry a single year of credit monitoring may not fully cover the long-term risk.
What workers can do to protect themselves
Exposed Social Security numbers can be used for fraud months or even years after a breach, so federal guidance urges people to act quickly. Recommended steps include placing a fraud alert or a free credit freeze with each of the three major credit bureaus, checking credit reports frequently, and using IdentityTheft.gov to file a report and generate a recovery plan.
The Federal Trade Commission notes that credit monitoring services can flag suspicious account activity but do not by themselves prevent identity theft. Pairing monitoring with a freeze or fraud alert generally offers stronger protection.
City promises policy review, offers one-year monitoring
In its letters, the city tells workers it will cover a complimentary one-year credit monitoring service for those affected and reiterates that officials are reviewing data storage and transfer policies in light of the incident.
A breach-tracking legal site also summarized the city's notice and the one-year monitoring offer, and labor advocates say longer-term protections and clearer transparency are likely to be demanded if additional details surface, according to Class Action U.
Workers and advocates say the episode raises broader questions about how San Jose handles sensitive records as it leans more heavily on technology in city services. The investigation remains open, and employees say they are looking for concrete answers on how many people were affected and what specific steps the city will take to avoid a similar scare in the future.
